
Detecting Sybil Attack in Mobile Wireless Sensor Networks

3 Chapter Three: Sybil Attack

3.2 Detecting Sybil Attack

3.2.8 Detecting Sybil Attack in Mobile Wireless Sensor Networks

In (Banković, Fraga, Moya, & Vallejo, 2012) machine learning algorithms have been used to detect unknown attacks in wireless sensor networks by considering the attacks as an anomaly in network communication. In this work, the algorithm has been tested for Sybil attack on both static and mobile WSNs. The attacks have been treated as data outliers, which have been detected using clustering algorithms. The algorithms can achieve 100% detection rates when less than 52% of the nodes are malicious and can detect the presence of the attack if less than 80% of the nodes are malicious.

In (Sharmila & Umamaheswari, Detection of sybil attack in mobile wireless sensor networks, 2012) a clustering algorithm has been proposed to detect a Sybil node in a mobile WSN, which consists of three phases:

1. One of the nodes is considered as the base station. With the help of this node and after considering the packet drop rate, the nodes with minimum packet drop are chosen as cluster heads. Cluster heads consider the nodes with power value lower than a threshold as suspicious.

2. When neighbouring nodes send messages to the Sybil nodes, collisions will happen because all fake identifiers belong to the same physical node. Collisions can be used as an indication to detect the Sybil nodes.

3. Routing paths are checked to see if there is any intermediate node (hub) between suspicious nodes. If yes, the nodes are not Sybil; otherwise, they are identified as Sybil nodes.

As can be seen, the algorithm consists of three complicated phases, which makes it unsuitable for MWSN with limited resources.

In (Sharmila & Umamaheswari, Node ID based detection of Sybil attack in mobile wireless sensor network, 2012) an algorithm has been proposed to detect the Sybil nodes in mobile WSN which requires nodes to register themselves to the base station. The base station validates and assigns an identifier to each legitimate node. Since this algorithm relies on the base station, it is not scalable.

In (Jamshidi, Zangeneh, Esnaashari, & Meybodi, 2017), an algorithm has been proposed to detect the Sybil attack in MWSN. The algorithm uses watchdog nodes to monitor the network and identify suspicious nodes. Watchdog nodes are normal nodes which are spread into the network and are specially programmed to collect information about the pattern of nodes movement. Therefore, the nodes are divided into two groups: sensor nodes (SN) and watchdog nodes (WN).

The algorithm consists of two phases: monitoring and detection. In the monitoring phase, when one SN moves in the network and lies in the neighbourhood of one WN, the WN stores some information about the SN. The information is stored in a data structure called “Moving_history”, which consists of two columns, Node_ID and Bit_label, where the former shows the node identity and the latter contains the binary code of each WN which has previously had this node in its neighbourhood. To minimise the size of Moving_history, the minimum number of bits is used to uniquely identify each WN. If the number of WNs is q, the binary code of each WN consists of $\log_2(q)$ bits. Figure 3-6 shows an example of deploying nodes in the network, which consists of three watchdog nodes (W1, W2, and W3), 10 Sybil nodes (S1-S10), and several sensor nodes including a, b, c, d, x, y, z, u, and v. Figure 3-7 shows the Moving_history of W1 after the first round of the algorithm.

Figure 3-6. An example of node locations in WSN (Jamshidi et al., 2017).

| Node_ID | Bit_label |
|---|---|
| S1-S10 | 00 |
| x | 00 |
| y | 00 |
| z | 00 |
| u | 00 |
| v | 00 |
| d | 00 |

Figure 3-7. The moving history of W1 in Figure 3-6 (Jamshidi, Zangeneh, Esnaashari, & Meybodi, 2017).

The algorithm relies on the fact that when a malicious node moves in the network, all associated Sybil identities move with it. Figure 3-8 shows the location of nodes after the second round of the algorithm, when nodes have relocated in the network. At the end of each round, WNs communicate with each other to send the history of nodes which were previously located in their neighbourhood to the WN which has these nodes in its neighbourhood after the current round of the algorithm. The new Moving_history of W1 and W3 are shown in Figure 3-9. As can be seen in the figure, nodes x, y, and S1-S10 moved to the neighbourhood of W3. Consequently, their histories are also moved from W1 to W3. The binary code of W3 (10) is also concatenated to their previous Bit_label, which consists of the binary code of W1 (00).

Figure 3-8. Location of nodes after the second round of the algorithm (Jamshidi, Zangeneh, Esnaashari, & Meybodi, 2017).

| Node_ID (W1) | Bit_label (W1) | Node_ID (W3) | Bit_label (W3) |
|---|---|---|---|
| z | 0000 | x | 0010 |
| d | 0000 | y | 0010 |
| a | 00 | S1-S10 | 0010 |
| | | b | 10 |

Figure 3-9. Left: Moving_history of W1; Right: Moving_history of W3 after the second round (Jamshidi, Zangeneh, Esnaashari, & Meybodi, 2017).

In this way, Sybil nodes have the same Bit_label. Therefore, in the detection phase, each WN searches its Moving_history to find identical Bit_labels with a length greater than a threshold. The nodes carrying these labels are considered Sybil.
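The monitoring and detection phases described above, run on the scenario of Figures 3-6 to 3-9, as an added example (not code from Jamshidi et al. or from this thesis). The function names, rounding the code width up to whole bits, requiring at least two identities per shared label, sending u and v to W2 in round 2, and the whole third round are assumptions of this example.

```python
from collections import defaultdict
from math import ceil, log2

def wn_codes(watchdogs):
    """Fixed-width binary code per watchdog (width rounded up: an assumption)."""
    width = max(1, ceil(log2(len(watchdogs))))
    return {w: format(i, f"0{width}b") for i, w in enumerate(watchdogs)}

def run_round(histories, codes, placement):
    """Monitoring: move each node's history to the WN that now sees it and
    append that WN's code to the node's Bit_label."""
    old = {n: lbl for table in histories.values() for n, lbl in table.items()}
    new = {w: {} for w in codes}
    for node, wn in placement.items():
        new[wn][node] = old.get(node, "") + codes[wn]
    return new

def detect(histories, threshold):
    """Detection: per WN, identities sharing a Bit_label longer than
    `threshold` bits are reported as Sybil."""
    flagged = set()
    for table in histories.values():
        groups = defaultdict(set)
        for node, label in table.items():
            if len(label) > threshold:
                groups[label].add(node)
        for members in groups.values():
            if len(members) > 1:  # a label must be shared to be suspicious
                flagged |= members
    return flagged

SYBILS = [f"S{i}" for i in range(1, 11)]
CODES = wn_codes(["W1", "W2", "W3"])  # W1=00, W2=01, W3=10

def place(w1=(), w2=(), w3=()):
    return {n: w for w, ns in (("W1", w1), ("W2", w2), ("W3", w3)) for n in ns}

# Constructed placements. Rounds 1-2 follow Figures 3-7 and 3-9; sending u and v
# to W2 in round 2, and all of round 3, are assumptions made for this example.
ROUNDS = [
    place(w1=[*SYBILS, "x", "y", "z", "u", "v", "d"]),
    place(w1=["z", "d", "a"], w2=["u", "v"], w3=[*SYBILS, "x", "y", "b"]),
    place(w1=["x", "z", "a", "u"], w2=[*SYBILS, "d"], w3=["y", "b", "v"]),
]

def simulate(rounds, threshold):
    histories = {w: {} for w in CODES}
    for placement in rounds:
        histories = run_round(histories, CODES, placement)
    return histories, detect(histories, threshold)
```

With two rounds and a 2-bit threshold, `simulate(ROUNDS[:2], 2)` flags x, y, z, d, u and v alongside S1-S10, because honest nodes that happened to share a path still share a label; after the third round with a 4-bit threshold only S1-S10 remain flagged.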

In (Shehni, Faez, Farshad, & Kelarestaghi, 2017) an algorithm has been proposed for detecting the Sybil attack in MWSN using watchdog nodes. In this algorithm, each watchdog uses two data structures, which are upper triangular matrices whose number of rows and columns equals the number of nodes (see Figure 3-10). Each element (i,j) in $A^{k}_{\text{co-prs}}$ is determined as follows:

- (1,1): If both nodes i and j are in the neighbourhood of the watchdog node.
- (0,0): If neither node i nor node j is in the neighbourhood of the watchdog node.
- (1,0): If node i is the neighbour of the watchdog node but node j is not.
- (0,1): If node j is the neighbour of the watchdog node but node i is not.

After each round of the algorithm, $A^{k}_{\text{co-prs}}$ is updated and renamed as $A^{k+1}_{\text{co-prs}}$.

Figure 3-10 Data structures used in (Shehni, Faez, Farshad, & Kelarestaghi, 2017): a) Ak


In each round of the algorithm, the state diagram in Figure 3-11 is used to calculate each element of $C^{k}_{\text{co-prs}}$ from $A^{k-1}_{\text{co-prs}}$ and $A^{k}_{\text{co-prs}}$.

Figure 3-11. The state diagram for calculating elements of $C^{k}_{\text{co-prs}}$ (Shehni, Faez, Farshad, & Kelarestaghi, 2017)

After several rounds of the algorithm, all watchdog nodes send their $C^{k}_{\text{co-prs}}$ to a designated watchdog to aggregate the elements. In the end, if the element (i,j) in $C^{k}_{\text{co-prs}}$ exceeds a threshold, it means that i and j are copies of the same node (i.e., Sybil identities). In simple words, the algorithm relies on the fact that the pattern of movement for Sybil nodes is the same. So, if they are both present or absent in the neighbourhood of a watchdog node, they are moving together.

The main issues of this algorithm are as follows:

- The memory overhead is high because of storing large matrices in watchdog nodes.
- Since a watchdog must process all $C^{k}_{\text{co-prs}}$, it will become a single point of failure. If this node becomes unavailable (for example, because of running out of the battery) the algorithm will crash.
- Since one watchdog node must process all $C^{k}_{\text{co-prs}}$ matrices, there are some serious

3.3 Summary

In this chapter, I reviewed some of the existing research on detecting the Sybil attack. As discussed in the previous sections, there has been much research on detecting and preventing the Sybil attack in static WSNs, most of which is not suitable for mobile wireless sensor networks (MWSN) because most of these algorithms rely on the position of the nodes, RSSI, or collaboration between neighbouring nodes. (Yu, Lu, & Kuo, 2008) compared the complexity of some of the methods discussed in this chapter. The results are shown in Table 3-1, where n is the number of nodes, d is the average number of neighbours for each node, and g is the number of messages sent from each node. As can be seen from the table, these methods suffer from a significant overhead (both memory and communication), which could be a barrier to their scalability.

Table 3-1. Comparing the complexity of several Sybil detection algorithms (Yu, Lu, & Kuo, 2008)

| Research | Memory | Communication |
|---|---|---|
| Broadcast (Parno, Perrig, & Gligor, 2005) | $O(dn)$ | $O(n^2)$ |
| Deterministic Multicast (Parno, Perrig, & Gligor, 2005) | $O(gn)$ | $O\left(\frac{g \ln g \sqrt{n}}{d}\right)$ |
| Randomised Multicast (Parno, Perrig, & Gligor, 2005) | $O(\sqrt{n}\,n)$ | $O(n^2)$ |
| Line-Selected Multicast (Parno, Perrig, & Gligor, 2005) | $O(\sqrt{n}\,n)$ | $O(n\sqrt{n})$ |
| (Brooks, Govindaraju, Pirretti, Vijaykrishnan, & Kandemir, 2007) | N.A. | $O(n \log n)$ |
| (Zhang, Khanapure, Chen, & Xiao, 2009) | $O(\sqrt{n}\,n)$ | $O(n\sqrt{n})$ |
| (Li & Gong, 2009) | $O(dn)$ | $O(dn\sqrt{n})$ |

In (Andalib & Jamshidi, 2016), the detection rates of some of the previous methods have been reported, as shown in Figure 3-12 and Figure 3-13, where the former depicts the true detection rate and the latter depicts the false detection rate. (Demirbas & Song, 2006) has a very high true detection rate, which means it can detect all Sybil nodes correctly. However, its false detection rate is also high, which means it mistakenly considers some normal nodes as Sybil. On the other hand, (Dhamodharan & Vayanaperumal, 2015) and (Amuthavalli & Bhuvaneswaran, 2014) have very low false detection rates, but their true detection rates are also low. Therefore, none of these algorithms could achieve a high true detection rate and a low false detection rate at the same time. After all, these algorithms are only suitable for static WSN.


Figure 3-12. The true detection rate of several Sybil detection algorithms

Figure 3-13. The false detection rate of several Sybil detection algorithms

I also explained several algorithms for detection of Sybil attack in MWSN. A clustering algorithm was proposed by (Sharmila & Umamaheswari, Detection of sybil attack in mobile wireless sensor networks, 2012), in which collision is an indication for detecting the Sybil nodes. This algorithm suffers from a high complexity.

Sharmila and Umamaheswari also proposed another algorithm for detecting the Sybil attack in MWSN, in which nodes must be validated by the base station (Sharmila & Umamaheswari, Node ID based detection of Sybil attack in mobile wireless sensor network, 2012). This algorithm is centralised and is not scalable.


I also explained the algorithms proposed by (Jamshidi, Zangeneh, Esnaashari, & Meybodi, 2017) and (Shehni, Faez, Farshad, & Kelarestaghi, 2017) for detecting mobile Sybil nodes in MWSN, which use watchdog nodes. Watchdog nodes are normal, trusted nodes in the WSN which have been initially programmed to observe the network and report malicious behaviours. The former algorithm suffers from three problems:

- Its convergence is very slow which means that the algorithm needs many rounds of execution until its detection rate becomes acceptable.

- Observer nodes do not act independently when detecting the Sybil nodes because they need to send special messages to each other to detect the Sybil nodes.

While the shortcomings of the latter are as follows:

- High memory usage
- Single point of failure
- Lack of scalability

In the next chapter, I propose a new algorithm for detecting the Sybil attack in MWSN which overcomes the shortcomings of the algorithms proposed by (Jamshidi, Zangeneh, Esnaashari, & Meybodi, 2017) and (Shehni, Faez, Farshad, & Kelarestaghi, 2017).
